I am trying to find a unique count on a pair of source and destination IPs in my stored records.
In Elasticsearch, the mapping shows that the fields are being stored as an IP type; however, when I try to compare the two IPs to sort them, Elasticsearch throws an error saying
"Cannot apply [>] operation to types [org.elasticsearch.index.mapper.IpFieldMapper.IpFieldType.IpScriptDocValues] and [org.elasticsearch.index.mapper.IpFieldMapper.IpFieldType.IpScriptDocValues]."
The reason I want to do this is that in some records the same IPs are stored, but in different srcIP and dstIP fields. I would like to eventually create a visualization based on the top 10 pairs, but to do that I must first figure this out.
Do you guys have any suggestions? This is my query so far... It's a little messy:
"aggs" : {
    "ip_pairs" : {
        "cardinality" : {
            "script" : "if (doc['srcIP'] > doc['dstIP']) { doc['dstIP'].value + '-' + doc['srcIP'].value } else { doc['srcIP'].value + '-' + doc['dstIP'].value }"
        }
    }
}
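The technique the question is after, building an order-independent key for each (srcIP, dstIP) pair and then counting distinct keys and the top pairs, shown as an added example that is not part of the original post and is not Elasticsearch code. It runs the canonicalization client-side over a constructed sample of records rather than inside a Painless script; the record shape (`srcIP`/`dstIP` keys), the sample data, and the `pair_key`/`count_pairs`/`top_pairs` helper names are assumptions for the illustration. Note the two checks a practitioner wants here: the addresses are ordered by their parsed numeric value, not as strings (so "10.0.0.9" sorts before "10.0.0.10", and a v4/v6 mix cannot blow up the comparison), and a record with a missing field is skipped instead of crashing or producing a bogus key.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed sample records (not real data): the same two hosts appear
# with src/dst swapped, so a naive (src, dst) key would count them twice.
RECORDS = [
    {"srcIP": "10.0.0.5", "dstIP": "192.168.1.20"},
    {"srcIP": "192.168.1.20", "dstIP": "10.0.0.5"},
    {"srcIP": "10.0.0.5", "dstIP": "192.168.1.20"},
    {"srcIP": "10.0.0.9", "dstIP": "10.0.0.10"},
    {"srcIP": "10.0.0.10", "dstIP": "10.0.0.9"},
    {"srcIP": "2001:db8::1", "dstIP": "10.0.0.5"},
    {"srcIP": "10.0.0.5", "dstIP": "2001:db8::1"},
    {"srcIP": "172.16.0.1"},  # dstIP missing: must be skipped, not counted
]


def pair_key(src: str, dst: str) -> str:
    """Return the same key for (src, dst) and (dst, src).

    Ordering is done on parsed addresses, not on the raw strings, so
    "10.0.0.9" sorts before "10.0.0.10" (string comparison would reverse
    them).  ipaddress refuses to order an IPv4Address against an
    IPv6Address, so the sort key is (version, integer value).
    """
    a, b = ip_address(src), ip_address(dst)
    lo, hi = sorted((a, b), key=lambda ip: (ip.version, int(ip)))
    return f"{lo}-{hi}"


def count_pairs(records) -> Counter:
    """Count occurrences of each unordered IP pair, skipping incomplete records."""
    counts = Counter()
    for rec in records:
        src, dst = rec.get("srcIP"), rec.get("dstIP")
        if not src or not dst:
            continue  # no pair to count; do not emit a half key like "1.2.3.4-None"
        counts[pair_key(src, dst)] += 1
    return counts


def unique_pair_count(records) -> int:
    """Equivalent of the cardinality aggregation over the canonical key."""
    return len(count_pairs(records))


def top_pairs(records, n: int = 10):
    """Equivalent of a terms aggregation on the canonical key, top n."""
    return count_pairs(records).most_common(n)


if __name__ == "__main__":
    print("unique pairs:", unique_pair_count(RECORDS))
    for key, n in top_pairs(RECORDS):
        print(f"{n:4d}  {key}")
```

On the sample above the three swapped variants collapse to three distinct pairs, with "10.0.0.5-192.168.1.20" on top with a count of 3. The same ordering step is what the Elasticsearch script needs to perform on the field values themselves (the strings returned by `.value`) rather than on the doc-values containers, which is what the error message is complaining about; storing the canonical key in its own keyword field at index time also avoids running a script in every cardinality and terms aggregation.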